[meta-webserver,scarthgap] nginx: patch CVE-2026-48142

Message ID 20260623092018.2397141-1-tgaige.opensource@witekio.com
State New

Commit Message

tgaige.opensource@witekio.com June 23, 2026, 9:20 a.m. UTC
From: "Theo Gaige (Schneider Electric)" <tgaige.opensource@witekio.com>

Backport patch [1] mentioned in [2].

[1] https://github.com/nginx/nginx/commit/60c4243eb8775d51662a01def8a7dad5d9fb34a7

[2] https://security-tracker.debian.org/tracker/CVE-2026-48142

Signed-off-by: Theo Gaige (Schneider Electric) <tgaige.opensource@witekio.com>
Reviewed-by: Bruno Vernay <bruno.vernay@se.com>
---
 .../nginx/nginx-1.24.0/CVE-2026-48142.patch   | 43 +++++++++++++++++++
 .../recipes-httpd/nginx/nginx_1.24.0.bb       |  1 +
 2 files changed, 44 insertions(+)
 create mode 100644 meta-webserver/recipes-httpd/nginx/nginx-1.24.0/CVE-2026-48142.patch

Patch

diff --git a/meta-webserver/recipes-httpd/nginx/nginx-1.24.0/CVE-2026-48142.patch b/meta-webserver/recipes-httpd/nginx/nginx-1.24.0/CVE-2026-48142.patch
new file mode 100644
index 0000000000..f3c5ec4f7a
--- /dev/null
+++ b/meta-webserver/recipes-httpd/nginx/nginx-1.24.0/CVE-2026-48142.patch
@@ -0,0 +1,43 @@ 
+From f0a5aa7beb3d210753dfb104dcfd873bf1af35f0 Mon Sep 17 00:00:00 2001
+From: Sergey Kandaurov <pluknet@nginx.com>
+Date: Mon, 1 Jun 2026 21:46:48 +0400
+Subject: [PATCH] Charset: fixed another rare buffer overread in
+ recode_from_utf8()
+
+With prerequisites similar to 696a7f1b9, it was possible to gain 1-byte
+overread on invalid UTF-8 sequences.  The reason is ngx_utf8_decode()
+stops advancing the pointer position on the first encountered invalid
+byte.  The fix is to adjust the advanced pointer up to the whole saved
+sequence in this case.  Note that this may result in different output
+compared to complete invalid UTF-8 sequences, which we can disregard
+at this point.
+
+Reported by Han Yan of Xiaomi and p4p3r of CYBERONE.
+
+(cherry picked from commit 60c4243eb8775d51662a01def8a7dad5d9fb34a7)
+
+CVE: CVE-2026-48142
+Upstream-Status: Backport [https://github.com/nginx/nginx/commit/60c4243eb8775d51662a01def8a7dad5d9fb34a7]
+Signed-off-by: Theo Gaige (Schneider Electric) <tgaige.opensource@witekio.com>
+---
+ src/http/modules/ngx_http_charset_filter_module.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/src/http/modules/ngx_http_charset_filter_module.c b/src/http/modules/ngx_http_charset_filter_module.c
+index 7a518e3..ed80b5e 100644
+--- a/src/http/modules/ngx_http_charset_filter_module.c
++++ b/src/http/modules/ngx_http_charset_filter_module.c
+@@ -855,6 +855,10 @@ ngx_http_charset_recode_from_utf8(ngx_pool_t *pool, ngx_buf_t *buf,
+         ngx_log_debug0(NGX_LOG_DEBUG_HTTP, pool->log, 0,
+                        "http charset invalid utf 1");
+ 
++        if (saved < &ctx->saved[ctx->saved_len]) {
++            saved = &ctx->saved[ctx->saved_len];
++        }
++
+     } else {
+         dst = ngx_sprintf(dst, "&#%uD;", n);
+     }
+-- 
+2.43.0
+
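Review bot: The embedded patch header names two different commits and the backport's provenance is not documented. The From line carries f0a5aa7beb3d210753dfb104dcfd873bf1af35f0, while the "cherry picked from" line and Upstream-Status both point at 60c4243eb8775d51662a01def8a7dad5d9fb34a7. Please say in the commit message which tree f0a5aa7 was taken from and whether it applied to 1.24.0 without changes. Separately, the upstream description calls this "another" overread "with prerequisites similar to 696a7f1b9", and the added `if (saved < &ctx->saved[ctx->saved_len])` check in the "http charset invalid utf 1" branch only covers the case where ngx_utf8_decode() stopped at the first invalid byte. Nothing in this series shows whether the earlier 696a7f1b9 fix is already present in the 1.24.0 sources or carried by the recipe, so it would help to confirm that explicitly.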
diff --git a/meta-webserver/recipes-httpd/nginx/nginx_1.24.0.bb b/meta-webserver/recipes-httpd/nginx/nginx_1.24.0.bb
index dee6c6618e..8498ce766e 100644
--- a/meta-webserver/recipes-httpd/nginx/nginx_1.24.0.bb
+++ b/meta-webserver/recipes-httpd/nginx/nginx_1.24.0.bb
@@ -15,6 +15,7 @@  SRC_URI:append = " \
                   file://CVE-2026-42946-01.patch \
                   file://CVE-2026-42946-02.patch \
                   file://CVE-2026-9256.patch \
+                  file://CVE-2026-48142.patch \
 "
 
 SRC_URI[sha256sum] = "77a2541637b92a621e3ee76776c8b7b40cf6d707e69ba53a940283e30ff2f55d"
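Review bot: The new `file://CVE-2026-48142.patch` entry is added to nginx_1.24.0.bb only, and the commit message ("Backport patch [1] mentioned in [2]") does not state the scope that was checked. A line saying which nginx recipe versions on this branch were examined, and that the patch applies cleanly after CVE-2026-42946-01, CVE-2026-42946-02 and CVE-2026-9256 in this SRC_URI order, would let a maintainer accept it without re-deriving that.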